From: Mark Andrews Date: Fri, 20 Dec 2024 09:24:05 +0000 (+1100) Subject: Add stripped DNSKEY RRSIG senario X-Git-Tag: ondrej/lock-free-qpzone-reads-v1~60^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a71b61756650b0e1849d9e074c5f370a3067780b;p=thirdparty%2Fbind9.git Add stripped DNSKEY RRSIG senario --- diff --git a/bin/tests/system/dnssec/ns1/root.db.in b/bin/tests/system/dnssec/ns1/root.db.in index 4cb21c18266..e0a54b43175 100644 --- a/bin/tests/system/dnssec/ns1/root.db.in +++ b/bin/tests/system/dnssec/ns1/root.db.in @@ -39,3 +39,5 @@ too-many-iterations. NS ns2.too-many-iterations. ns2.too-many-iterations. A 10.53.0.2 peer-ns-spoof NS ns2.peer-ns-spoof. ns2.peer-ns-spoof. A 10.53.0.2 +dnskey-rrsigs-stripped. NS ns2.dnskey-rrsigs-stripped. +ns2.dnskey-rrsigs-stripped. A 10.53.0.2 diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh index b649cd4a095..ba35576c404 100644 --- a/bin/tests/system/dnssec/ns1/sign.sh +++ b/bin/tests/system/dnssec/ns1/sign.sh @@ -31,6 +31,7 @@ cp "../ns2/dsset-in-addr.arpa." . cp "../ns2/dsset-too-many-iterations." . cp "../ns2/dsset-lazy-ksk." . cp "../ns2/dsset-peer-ns-spoof." . +cp "../ns2/dsset-dnskey-rrsigs-stripped." . grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." >"dsset-algroll." cp "../ns6/dsset-optout-tld." . diff --git a/bin/tests/system/dnssec/ns2/dnskey-rrsigs-stripped.db.in b/bin/tests/system/dnssec/ns2/dnskey-rrsigs-stripped.db.in new file mode 100644 index 00000000000..5fcc74dc94d --- /dev/null +++ b/bin/tests/system/dnssec/ns2/dnskey-rrsigs-stripped.db.in @@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in index 310b46b3225..001731b012a 100644 --- a/bin/tests/system/dnssec/ns2/named.conf.in +++ b/bin/tests/system/dnssec/ns2/named.conf.in @@ -224,4 +224,9 @@ zone "peer.peer-ns-spoof" { file "peer.peer-ns-spoof.db.signed"; }; +zone "dnskey-rrsigs-stripped" { + type primary; + file "dnskey-rrsigs-stripped.db.signed"; +}; + include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index 106f67cbebe..19fbbf96348 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -387,3 +387,20 @@ ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$z zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 + +# +# A zone with the DNSKEY RRSIGS stripped +# +zone=dnskey-rrsigs-stripped +infile=dnskey-rrsigs-stripped.db.in +zonefile=dnskey-rrsigs-stripped.db +ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 +"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \ + | awk '$4 == "RRSIG" && $5 == "DNSKEY" { next } { print }' >"$zonefile.stripped" +"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \ + | awk '$4 == "SOA" { $7 = $7 + 1; print; next } { print }' >"$zonefile.next" +"$SIGNER" -g -o "$zone" -f "$zonefile.next" "$zonefile.next" >/dev/null 2>&1 +cp "$zonefile.stripped" "$zonefile.signed" diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 254ba2a7500..2518cfda1cb 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -204,6 +204,29 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) +echo_i "checking recovery from stripped DNSKEY RRSIG ($n)" +ret=0 +# prime cache with DNSKEY without RRSIGs +dig_with_opts +noauth +cd dnskey-rrsigs-stripped. @10.53.0.4 dnskey >dig.out.prime.ns4.test$n || ret=1 +grep ";; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1" dig.out.prime.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.prime.ns4.test$n >/dev/null || ret=1 +grep "RRSIG.DNSKEY" dig.out.prime.ns4.test$n >/dev/null && ret=1 +# reload server with properly signed zone +cp ns2/dnskey-rrsigs-stripped.db.next ns2/dnskey-rrsigs-stripped.db.signed +nextpart ns2/named.run >/dev/null +rndccmd 10.53.0.2 reload dnskey-rrsigs-stripped | sed 's/^/ns2 /' | cat_i +wait_for_log 5 "zone dnskey-rrsigs-stripped/IN: loaded serial 2000042408" ns2/named.run || ret=1 +# make a query that flushes the unsigned DNSKEY RRset +dig_with_opts +noauth a.dnskey-rrsigs-stripped. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +# make a second query that should now validate +dig_with_opts +noauth b.dnskey-rrsigs-stripped. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth b.dnskey-rrsigs-stripped. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + echo_i "checking that 'example/DS' from the referral was used in previous validation ($n)" ret=0 grep "query 'example/DS/IN' approved" ns1/named.run >/dev/null && ret=1 diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py index e00d160cd7b..d5811b1dbe6 100644 --- a/bin/tests/system/dnssec/tests_sh_dnssec.py +++ b/bin/tests/system/dnssec/tests_sh_dnssec.py @@ -50,6 +50,9 @@ pytestmark = pytest.mark.extra_artifacts( "ns2/cds-update.secure.id", "ns2/cds-x.secure.db", "ns2/cds.secure.db", + "ns2/dnskey-rrsigs-stripped.db", + "ns2/dnskey-rrsigs-stripped.db.next", + "ns2/dnskey-rrsigs-stripped.db.stripped", "ns2/example.db", "ns2/in-addr.arpa.db", "ns2/lazy-ksk.db",